The Dell OS10 BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

An XCCDF Rule

Description

Accepting route advertisements belonging to the local AS can result in traffic looping or being black holed, or at a minimum using a nonoptimized path.

ID: SV-269851r1051938_rule
Version: OS10-RTR-000030
Severity: Medium
References: CCI-001368
Updated: about 2 months ago

Remediation Templates

Ensure all eBGP routers are configured to reject inbound route advertisements for any prefixes belonging to the local AS.

Step 1: Add to the prefix filter list those prefixes belonging to the local autonomous system.

OS10(config)# ip prefix-list PREFIX_FILTER seq 73 deny 20.10.10.0/24 le 32
OS10(config)# ip prefix-list PREFIX_FILTER seq 74 deny 40.10.10.0/24 le 32
Step 2: Configure the route map referencing the configured prefix list.

OS10(config)# route-map PREFIX_FILTER_MAP 10
OS10(config-route-map)# match ip address prefix-list PREFIX_FILTER
OS10(config-route-map)# exit

Step 3: Apply the route-map inbound to each external BGP neighbor.

OS10(config)# router bgp 10
OS10(config-router-bgp-10)# neighbor 123.1.1.10
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# route-map PREFIX_FILTER_MAP in
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-10)# template ebgp
OS10(config-router-template)# address-family ipv4 unicast
OS10(config-router-bgp-template-af)# route-map PREFIX_FILTER_MAP in
OS10(config-router-bgp-template-af)# exit
OS10(config-router-template)# exit
OS10(config-router-bgp-10)# exit

The Dell OS10 BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).

Description

Remediation Templates

A Manual Procedure